Security zone configuration example, Network requirements – H3C Technologies H3C SecBlade FW Cards User Manual

Item            Description

Preference      Specify the preference (priority) of the specified zone. By default,
                packets from a high-priority zone to a low-priority zone are allowed
                to pass.

Share           Specify whether the specified zone can be referenced by other virtual
                devices.

Interface       Interface Name: The interfaces that have already been added to the
                security zone are shown in the selected status; the interfaces that
                can be added but have not yet been added to any security zone are
                shown in the non-selected status.

                VLAN: When you add Layer 2 Ethernet interfaces, you must specify the
                range of VLANs to be added to the security zone. The VLANs must belong
                to the virtual firewall that owns the security zone and must not have
                been added to any other security zone.

Security zone configuration example

Network requirements

As shown in Figure 5, a company uses a SecBlade firewall to connect the internal network to the Internet and provides WWW and FTP services to the Internet. You need to perform basic security zone configuration on the firewall to prepare for the security policy configuration.

The internal network is a trusted network and can access the internal servers and the Internet freely. You can assign the internal network connected to Ten-GigabitEthernet 0/0.1 on the SecBlade to the Trust zone, which has a higher priority.

The Internet is an untrusted network, and you need strict security rules to control access from it to the internal network and servers. You can assign the Internet connected to Ten-GigabitEthernet 0/0.3 on the SecBlade to the Untrust zone, which has a lower priority.

If you deploy the WWW server and the FTP server on the Internet, their security cannot be ensured; if you deploy them on the internal network, external users may exploit security holes in the servers to attack the internal network. Therefore, you can assign the servers connected to Ten-GigabitEthernet 0/0.2 on the SecBlade to the DMZ zone, with a priority higher than the Untrust zone but lower than the Trust zone. In this way, the servers in the DMZ zone can freely access the Internet in the lower-priority Untrust zone, but when they access the internal network in the higher-priority Trust zone, their access is controlled by the security rules.
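The following is an added example, not code from the H3C manual or from the SecBlade product: it models the zone preference rule from the table above (packets from a high-priority zone to a low-priority zone pass by default; everything else is left to the security rules) and the one-zone-per-interface and one-zone-per-VLAN constraints, then applies the model to the Trust/DMZ/Untrust layout of this network requirement. The numeric preference values and the VLAN ranges are assumptions chosen for illustration; the manual only gives the ordering Trust > DMZ > Untrust and the interface assignments.

```python
"""Minimal model of H3C-style security zone preferences (added example,
not vendor code). Preference values and VLAN ranges below are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Zone:
    name: str
    preference: int                                   # higher = more trusted
    interfaces: Set[str] = field(default_factory=set)
    vlans: Set[int] = field(default_factory=set)      # Layer 2 members


class VirtualFirewall:
    """One virtual device: its zones, their member interfaces and VLANs."""

    def __init__(self, owned_vlans: Set[int]):
        self.owned_vlans = owned_vlans                # VLANs this virtual firewall owns
        self.zones: Dict[str, Zone] = {}

    def add_zone(self, name: str, preference: int) -> Zone:
        if name in self.zones:
            raise ValueError(f"zone {name} already exists")
        self.zones[name] = Zone(name, preference)
        return self.zones[name]

    def zone_of_interface(self, iface: str) -> Optional[Zone]:
        for zone in self.zones.values():
            if iface in zone.interfaces:
                return zone
        return None

    def add_interface(self, zone_name: str, iface: str) -> None:
        # An interface can be a member of at most one security zone
        # (the "selected" / "non-selected" status in the web page).
        owner = self.zone_of_interface(iface)
        if owner is not None:
            raise ValueError(f"{iface} already belongs to zone {owner.name}")
        self.zones[zone_name].interfaces.add(iface)

    def add_vlans(self, zone_name: str, first: int, last: int) -> None:
        # Layer 2 members: the VLAN range must belong to this virtual firewall
        # and must not already be in another security zone.
        wanted = set(range(first, last + 1))
        if not wanted <= self.owned_vlans:
            raise ValueError("VLAN range is not owned by this virtual firewall")
        for zone in self.zones.values():
            if zone.name != zone_name and zone.vlans & wanted:
                raise ValueError(f"VLAN range overlaps zone {zone.name}")
        self.zones[zone_name].vlans |= wanted

    def default_action(self, src_iface: str, dst_iface: str) -> str:
        """Default handling of traffic between two interfaces before any
        security policy is configured: high preference to low preference
        passes; anything else is governed by the interzone security rules."""
        src = self.zone_of_interface(src_iface)
        dst = self.zone_of_interface(dst_iface)
        if src is None or dst is None:
            return "unassigned"             # interface not in any zone yet
        if src.preference > dst.preference:
            return "permit"
        return "policy"                     # controlled by the security rules


def build_example() -> VirtualFirewall:
    """The layout from the network requirements; preference numbers assumed."""
    fw = VirtualFirewall(owned_vlans=set(range(1, 4095)))   # assumed
    fw.add_zone("Trust", 85)
    fw.add_zone("DMZ", 50)
    fw.add_zone("Untrust", 5)
    fw.add_interface("Trust", "Ten-GigabitEthernet 0/0.1")
    fw.add_interface("DMZ", "Ten-GigabitEthernet 0/0.2")
    fw.add_interface("Untrust", "Ten-GigabitEthernet 0/0.3")
    return fw


if __name__ == "__main__":
    fw = build_example()
    pairs = [("0/0.1", "0/0.3"), ("0/0.2", "0/0.3"),
             ("0/0.2", "0/0.1"), ("0/0.3", "0/0.2")]
    for s, d in pairs:
        src, dst = f"Ten-GigabitEthernet {s}", f"Ten-GigabitEthernet {d}"
        print(f"{src} -> {dst}: {fw.default_action(src, dst)}")
```

Running the script prints "permit" for Trust to Untrust and DMZ to Untrust, and "policy" for DMZ to Trust and Untrust to DMZ, which is exactly the behaviour the network requirements describe: the servers reach the Internet freely, while their access to the internal network (and any access from the Internet) depends on the security rules configured later.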